Employee data: handle with care!
HR data covers many aspects of the corporate life: they include employee personal data, such as address and marital status, as well as compensation data which are by nature very sensitive – either because the employee doesn’t want to share it , or because the organisation wants to keep it confidential, at least for its management team. Other data is also highly confidential, such as succession plans in larger organisations. When you are a listed company, you may not want this information to be revealed, as a competitor might be tempted to try and hire your best people.
So the following questions naturally arise: who owns this data? And who is responsible for the management of this data?
There are two possible answers to the 1st question. From a legal point of view, HR data is “owned” by the company itself. When such information is saved into any external IT system, such as cloud-based talent management systems like Cornerstone, the company remains the sole owner of the data. Note that this might be different for consumer applications, where any data stored might become ownership of the application. But who has ever read the terms and conditions of social networks?
Yet in communication we all know that “perception is reality”, which means thatfrom an employee’s perspective, the owner of his/her personal data is not the company, but the employee him/herself. This is a very important aspect, which shouldn’t be underestimated by any organisation. The question usually only comes when the way data is acquired and managed changes , for example when a talent management project is on the way. Most of the time, everyone understands that a properly managed IT system will be able to handle data with more precaution than excel files that can be sent via email without any control whatsoever – or worse, paper forms that can be forgotten in the copier (true story, by the way!).
What does this imply for an HR department? It’s quite clear: the way employee data is managed must be clearly communicated in a transparent manner, as well as the reason why some information is collected. You think this goes without saying? Well, there has been enough scandal in various countries recently to show that some organisations didn’t hesitate to store illegal elements on their staff (such as comments that could include insults), and others were in court under accusation of spying on employee private lives.
These are extreme cases of course, but the important fact here is that employee data management can become a very strong lever to foster dialog between HR and employee representatives and trade unions. In some countries such as Germany, it is something that is already planned by the law, but actually that kind of discussion should occur on a regular basis everywhere, as it shows that the organisation is showing concern and attention regarding information that is considered private and sensitive by their employees.
This leads to the question of responsibility. At a corporate level, it seems logical to consider that the IT department is the ultimate keeper of data security, which means it should be in charge of ensuring that only necessary data is stored, and that it’s done in the most secure way. On the other hand, the HR department itself is where employee data is managed on a daily basis. Therefore, there should be a constant dialog between HR and IT on this topic. HR has the legitimacy to manage employee data, and might even be the sole department to have access to some of the data, yet IT needs to check that the legitimate concern about data privacy is properly taken care of. In conclusion:HR data is effectively handled by HR, but security and access rights are being checked and proofed by the IT department.
At the end of the day, it’s interesting to see that such a dry topic as HR data is actually a very effective way to foster dialog within the company, first between HR and employees, and second between HR and the IT department.